Reset conntrack...

Henrik Nordstrom hno at marasystems.com
Sat Dec 4 15:51:50 CET 2004


On Fri, 3 Dec 2004, Sven Anders wrote:

> ~ 1) Recheck all CONNTRACK entries against the new firewall rules.
>
> ~ 2) Set all CONNTRACK entries with states RELATED or ESTABLISHED to
> ~     NEW, to force the recheck.

Setting it to NEW won't help you as this discards the current conntrack 
entry, and if the next packet is return traffic or on a related 
connection your ruleset will get very upset.

> Is there any way to accomplish this?

There are three ways

a) The simple "CONFIRMED" patch posted by a colleague of mine a little more 
than a year ago (see archives).

b) Use CONNMARK as a ruleset counter instead of looking for state 
ESTABLISHED,RELATED. Mark accepted traffic with a specific CONNMARK and 
then look for this mark rather than the state.

Note that in both cases special care is needed to make sure you look at 
traffic or addresses in the "original" direction. See the conntrack match. 
Also beware of related connections such as the data channel of an FTP 
connection etc.

Regards
Henrik
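As an added illustration of option (b), not code from Henrik's post or from the netfilter project, here is a ruleset that stamps every accepted connection with a generation number in the connmark and accepts later packets on that stamp instead of on --ctstate ESTABLISHED,RELATED. Bumping the generation sends every live connection back through the policy rules, which is the recheck the thread asks for without discarding conntrack entries. It assumes a Linux host with iptables and the conntrack, connmark and helper matches plus the CONNMARK target; the --ctorig* options come from a newer iptables than the 2004 thread. The addresses and ports are constructed, and IPT can be overridden (IPT=echo) to render the rules without root:

```shell
#!/bin/sh
# Added example, not from the original post or the netfilter project.
# Assumptions: iptables with the conntrack, connmark and helper matches and
# the CONNMARK target. Addresses/ports below are constructed sample values.
# IPT may be overridden (IPT=echo) to print the rules instead of loading them.

IPT="${IPT:-iptables}"
MASK=0xffff                 # low 16 bits of the connmark carry the generation

# connmark_ruleset GEN: install FORWARD rules for ruleset generation GEN.
connmark_ruleset() {
    gen="$1"
    chain="policy_v$gen"

    # Fresh policy chain so the function can be re-run safely.
    $IPT -N "$chain" 2>/dev/null
    $IPT -F "$chain"

    # New generation goes in front of any older one: position 1 is the
    # mark-based accept, position 2 the jump into this generation's policy.
    # A connection marked by an older generation (or never marked) does not
    # match the accept and continues to the policy chain, whatever its state.
    $IPT -I FORWARD 1 -j "$chain"
    $IPT -I FORWARD 1 -m connmark --mark "$gen/$MASK" -j ACCEPT

    # Policy rules match on the ORIGINAL direction of the connection via the
    # conntrack match, so a reply packet of an old-generation connection is
    # judged by who opened it and to which port, not by the reply packet's
    # own source and destination (the "original direction" caveat).
    $IPT -A "$chain" -p tcp -m conntrack --ctorigsrc 10.0.0.0/24 \
        --ctorigdst 192.0.2.10 --ctorigdstport 22 \
        -j CONNMARK --set-mark "$gen/$MASK"
    $IPT -A "$chain" -p tcp -m conntrack --ctorigsrc 10.0.0.0/24 \
        --ctorigdst 192.0.2.10 --ctorigdstport 21 \
        -j CONNMARK --set-mark "$gen/$MASK"

    # Related connections (the FTP data channel) carry no mark of their own;
    # stamp those the ftp helper expected on behalf of an accepted control
    # connection.
    $IPT -A "$chain" -m conntrack --ctstate RELATED -m helper --helper ftp \
        -j CONNMARK --set-mark "$gen/$MASK"

    # CONNMARK is non-terminating: accept what was just stamped, log and drop
    # the rest (including old connections the new policy no longer allows).
    $IPT -A "$chain" -m connmark --mark "$gen/$MASK" -j ACCEPT
    $IPT -A "$chain" -j LOG --log-prefix "policy_v$gen drop: "
    $IPT -A "$chain" -j DROP
}

# retire_generation OLD: remove a superseded generation once the new one is
# in place. Connections still stamped OLD are re-marked (or dropped) by the
# new policy on their next packet.
retire_generation() {
    old="$1"
    $IPT -D FORWARD -m connmark --mark "$old/$MASK" -j ACCEPT
    $IPT -D FORWARD -j "policy_v$old"
    $IPT -F "policy_v$old"
    $IPT -X "policy_v$old"
}

# Usage: ./connmark_ruleset.sh apply NEWGEN [OLDGEN]
if [ "${1:-}" = "apply" ]; then
    connmark_ruleset "$2"
    [ -n "${3:-}" ] && retire_generation "$3"
fi
```

After editing the policy rules, loading generation 2 and retiring generation 1 (`apply 2 1`) forces every connection accepted under generation 1 through the new policy chain on its next packet, in either direction, without resetting conntrack. Allowed connections simply pick up the new mark; connections the new policy rejects are logged and dropped.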



